Whodunit? In cybercrime, attribution is not easy

"Whodunit" is essential to solving crimes. You can't make an arrest or prosecute a crime if you don't even know who committed it.

That makes "attribution" one of the major challenges of law enforcement. But while identifying perpetrators is difficult enough in the physical world, it is even tougher in the cyber world, where the ways for perpetrators to cover their tracks or make it look like a breach was committed by someone else are both sophisticated and practically limitless.

Even experts who argue that credible attribution is possible don't claim it is easy or quick.

But the debate over whether it is even possible in any meaningful way continues to rage.

On one side are experts like Stewart Baker, a partner at the law firm Steptoe & Johnson who has also held high-level positions at both the National Security Agency (NSA) and Department of Homeland Security (DHS), whose only partially tongue-in-cheek "Baker's Law" has been, "Our security sucks. But so does theirs."

In other words, Baker's more serious argument, which he has made for years, is that attribution of cybercrimes ranging from theft to espionage is well within reach of the good guys because, "the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies."

He is joined in that view by academics like Thomas Rid, professor of Security Studies at King's College London, coauthor of the recent paper, "Attributing Cyber Attacks."


In it, Rid and coauthor Ben Buchanan argue that attribution is not so much a black-and-white issue that is either solvable or not, but a more nuanced process that in large measure "depends on what states make of it," and "minimizing uncertainty."

On the other side are high-profile skeptics like Gary McGraw, CTO of Cigital; Bruce Schneier, CTO of Co3 Systems; Jeffrey Carr, president and CEO of Taia Global; and Marc Rogers, principal security researcher at CloudFlare.

McGraw has argued for years that while attribution is not impossible, it is close to it without credible human intelligence. "And people are unbelievably slow compared to computers," he said.

According to McGraw, there is a big difference between identifying a machine and identifying who controls it.

"You can compromise a box where one of those machines is installed, and find out a lot about that machine," he said. "But the question is: Who is running the machine? There's no blood or DNA mapping going on. If you're a nation-state-level attacker and want an adversary to believe that another nation state is doing it, there is nothing that can stop that."


Carr contends that it is a matter of scale. He agrees in part with Stewart that security may be poor, but only for, "low-level attackers or amateurs." On a larger scale, he agrees with McGraw. Those weaknesses, he said, "don't apply to foreign intelligence services or professional mercenary hackers."

The debate on attribution has heated up again in the wake of the hack last fall of Sony Pictures Entertainment, which both FBI Director James Comey and Admiral Michael Rogers, director of the NSA, attributed to the Democratic Republic of North Korea. Comey went so far as to say that the "entire intelligence community" shared his confidence in that attribution.

Perhaps within government, but the view is not unanimous in the private sector.

In a recent podcast debate Baker hosted on attribution, that included both Rid and Carr, Rid argued that the U.S. got it right, and that outside critics need to acknowledge the reality that U.S. intelligence agencies have much more access to other countries' cyber infrastructure than they can publicly admit.

"An intelligence agency, especially a well-resourced and powerful intelligence agency like the NSA, will have more visibility into this space than any private company," he said. "That's just a fact of life."

To Carr's argument that other nation states hostile to the U.S. could be "spoofing" the origin of the attack, or that even an ally like South Korea might not be providing accurate information, Stewart responded that the NSA doesn't take anything at face value.

"Of course the NSA knows people may be lying to them," he said. "That's Tradecraft 101. The question is how do we verify, based on other info, what they're saying to each other and to other sources."

Joel Harding, a retired military intelligence officer and now a consultant on information operations, said he thinks, "attribution has improved tremendously. We have much better analytical tools for identifying code, techniques, unique exploits and signatures. We have better collaborative environments and education for the analysts from more experienced analysts and far greater cross-fertilization between analytical programs."

But he agrees that the Sony attribution, coming only days after the intrusion was discovered, was "highly suspicious."

And critics like McGraw don't buy the argument that government has much better access to cyber intelligence than the private sector. "That's just BS," he said, noting past U.S. intelligence failures like the claim of weapons of mass destruction in Iraq. "Everybody likes to pretend they're more important than they really are," he said.

Rogers, writing on his personal blog, also remained skeptical, noting that leaked information from U.S. intelligence agencies claimed evidence had been gathered from North Korean networks that had been compromised by multiple parties.

"It's hard to say that anything coming from a machine that's been 'hacked to pieces' by multiple parties can definitively be attributed to anyone," he wrote.

And recent revelations have given more ammunition to the skeptics.

Carr's firm, Taia Global, announced just a week ago in a paper titled, "The Sony Breach: From Russia, No Love," that it had credible evidence that a team of Russian hackers had not only gained access to SPE in late 2014, but was still inside the company's network.

Taia said it was possible that the Russian attack was separate from the North Koreans, or that North Korea was telling the truth when it denied the attack, and, "that other hackers did, and at least one or more of those that did were Russian."

Taia relied on what it called, "a trusted Russian contact," a black-hat hacker who uses the alias "Yama Tough," who had served time in U.S. prison for cyber crimes and was deported to Russia upon his release.

Yama Tough made contact with who he said was a member of the team that hacked SPE, and provided Taia with documents and emails different from those that had already been made public -- one of them as late as Jan. 23.

That, the Taia report said, means SPE, "is still in a state of breach ... Yama Tough's Russian source appears to have at-will access to the company."

Carr, asked if his firm's report undermines his assertion that good attribution is next to impossible, said it was the human element that clinched it.

"When someone knocks on your door and hands you an envelope, assuming that you aren't blind, attribution is pretty easy," he said, adding that while he didn't trust Yama Tough in the beginning, "over time he has earned my trust by delivering lots of solid data to me."

Stewart, in a brief email interview, said the Taia revelation is, "interesting but doesn't draw the North Korea attribution into question."

Whatever the level of attribution accuracy, experts say it is well worth continuing to try to get it right. Harding said while the U.S. cannot prosecute state-sponsored hackers in China for espionage, it should affect the relationship between the two countries.

"It is almost impossible to quantify the amount of intellectual property stolen from U.S. servers," he said. "It is on a scale that defies belief."
